Switch to a recent version of a supported Jsch fork (#711)

The version of JSch bundled in the plugin has not been maintained in a
few years so has not kept up-to-date with newer cryptographic keys,
ciphers, and signatures. This causes challenges for users attempting to
use Git with configuration using up-to-date cryptographic
recommendations, as the library only supports SHA1 signatures for RSA
which distributions like OpenSSH have stopped supporting.

The JSch implementation has been switched to an actively maintained fork
and an up-to-date version of BouncyCastle included in the dependencies
to ensure elliptic curves and recent cipher suites are available. The
existing RemoteRejectionTest has been altered to use public key
authentication and an up-to-date container running a recent version of
OpenSSH to allow realistic connectivity testing of remote Git over SSH
connections.

As the Jsch distribution is a multi-version JAR including Java 16 class
files, the plugin has had to be updated to Gradle 7 as the ASM version
used in Gradle 6 is not compatible with Java 16 classes.

README.md

@@ -21,7 +21,7 @@ a release version. If there were any commits after last tag, project is in SNAPS
 intuitive philosophy, alongside with [Semantic Versioning](http://semver.org/) rules, makes it a lot easier to manage
 project versions along SCM tag versions.
 
-JDK11+ & Gradle 6+ required.
+JDK11+ & Gradle 7+ required.
 
 ## Basic usage
 

build.gradle.kts

@@ -49,7 +49,7 @@ sourceSets {
 }
 
 val jgitVersion = "6.8.0.202311291450-r"
-val jschVersion = "0.1.55"
+val jschVersion = "0.2.16"
 val jschAgentVersion = "0.0.9"
 
 dependencies {
@@ -60,22 +60,21 @@ dependencies {
     runtimeOnly("org.eclipse.jgit:org.eclipse.jgit.gpg.bc:$jgitVersion")
 
     implementation("org.eclipse.jgit:org.eclipse.jgit:$jgitVersion")
-    implementation("org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:$jgitVersion")
-    implementation("com.jcraft:jsch:$jschVersion")
-    implementation("com.jcraft:jsch.agentproxy.core:$jschAgentVersion")
-    implementation("com.jcraft:jsch.agentproxy.jsch:$jschAgentVersion")
-    implementation("com.jcraft:jsch.agentproxy.sshagent:$jschAgentVersion")
-    implementation("com.jcraft:jsch.agentproxy.pageant:$jschAgentVersion")
-    implementation("com.jcraft:jsch.agentproxy.usocket-jna:$jschAgentVersion")
-    implementation("com.jcraft:jsch.agentproxy.usocket-nc:$jschAgentVersion")
+    implementation("org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:$jgitVersion")  {
+        exclude("com.jcraft", "jsch")
+    }
+    implementation("com.github.mwiede:jsch:$jschVersion")
     implementation("com.github.zafarkhaja:java-semver:0.9.0")
+    runtimeOnly("org.bouncycastle:bcprov-jdk18on:1.77")
+    runtimeOnly("com.kohlschutter.junixsocket:junixsocket-core:2.8.3")
+    runtimeOnly("net.java.dev.jna:jna-platform:5.14.0")
 
     testImplementation("org.ajoberstar.grgit:grgit-core:4.1.0") {
         exclude("org.eclipse.jgit", "org.eclipse.jgit.ui")
         exclude("org.eclipse.jgit", "org.eclipse.jgit")
     }
     testImplementation("org.testcontainers:spock:1.17.6")
-    testImplementation("org.spockframework:spock-core:2.2-groovy-2.5")
+    testImplementation("org.spockframework:spock-core:2.3-groovy-3.0")
     testImplementation("cglib:cglib-nodep:3.3.0")
     testImplementation("org.objenesis:objenesis:3.3")
     testImplementation("org.apache.sshd:sshd-core:2.12.0")
@@ -181,13 +180,14 @@ nexusPublishing {
     }
 }
 
-if (System.getenv("GPG_KEY_ID") != null) {
-    signing {
-        useInMemoryPgpKeys(
-            System.getenv("GPG_KEY_ID"),
-            System.getenv("GPG_PRIVATE_KEY"),
-            System.getenv("GPG_PRIVATE_KEY_PASSWORD")
-        )
-        sign(publishing.publications)
+signing {
+    setRequired {
+        System.getenv("GPG_KEY_ID") != null
     }
+    useInMemoryPgpKeys(
+        System.getenv("GPG_KEY_ID"),
+        System.getenv("GPG_PRIVATE_KEY"),
+        System.getenv("GPG_PRIVATE_KEY_PASSWORD")
+    )
+    sign(publishing.publications)
 }

docker/Dockerfile

@@ -1,13 +1,13 @@
-FROM jkarlos/git-server-docker
+FROM rockstorm/git-server:2.43
 
-RUN passwd -d git \
-  && sed -i 's/^PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config \
-  && echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config \
-  && ls /etc/init.d \
-  && mkdir -p repos \
-  && git init --bare repos/rejecting-repo \
-  && echo -e "#!/bin/sh\necho 'I reject this push!' >&2\nexit 1" > repos/rejecting-repo/hooks/pre-receive \
-  && chmod +x repos/rejecting-repo/hooks/pre-receive \
-  && sh /etc/init.d/sshd restart
+RUN mkdir -p /srv/git/repos/rejecting-repo \
+  && mkdir -p /home/git/.ssh \
+  && echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCu0nkKWfkHn7bqz4VwFNORWZYZp1jKuiom/E3I5XzGMZTmo2M9TWIRGPsx1h+5GYnFiGo8DYaJv1T//nnE2lAWJ7e9Cj9dJQ5wx3EwJc9twHEzBF8hstpzCZS2UVlsWlkKkVwH8py54wh/xoG1mcAH/am5QBxcFarHqmMaN9YU6tXv2ipbpd5BsXUDvh0WOS/j/iylD2ACUYe+iBzC/FrZDeJR6Kkbomb+1Pxr7ffail5WzihpHcF6lR1hG98f8pDtJUo00n5mmZPp3ZxFmssIHbv9ZdU6x0vgEs9qBO1p0tILhVLhNHq3oLumWRtEzdH7AP1VjNCQ3aMy4MpJo+xUHD28btWS5N4wVpAQCZqVu5ucz/5jnsdluQVEd4grUu4nKgFiHPA0/o938fDO7tO2HOp3QhdFK+zlP6Q0H4XOZTk3kYn+9yymT294lqM+NeFApSdGSCROJI5HZQaQJX2tkjAy5eJYQcBzko6+KVL+mWZ8/D54NJX0O87FN0205NM= user@host" >> /home/git/.ssh/authorized_keys \
+  && chown -R git:git /home/git/.ssh \
+  && chmod 700 /home/git/.ssh \
+  && chmod 600 /home/git/.ssh/authorized_keys \
+  && git init --bare /srv/git/repos/rejecting-repo \
+  && echo -e "#!/bin/sh\necho 'I reject this push!' >&2\nexit 1" > /srv/git/repos/rejecting-repo/hooks/pre-receive \
+  && chmod +x /srv/git/repos/rejecting-repo/hooks/pre-receive
 
-CMD ["sh", "start.sh"]
+CMD ["/usr/sbin/sshd", "-D"]

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.9.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists